Allow companies to “hack back” against hackers in ways that could damage third-party systems.

The House could vote as early as this week, so please CLICK HERE to send an email to your Representative.

Note: once you send the email, you will be directed to a coalition website to add your name to a petition asking President Obama to veto cyber-sharing legislation… just in case our emails don’t produce the desired result.

UPDATE: Please click here to sign the petition asking President Obama to veto the bill.

FURTHER READING: On April 21, a coalition of 55 civil-society organizations, security experts, and academics sent a letter to every member of the House strongly opposing the Protecting Cyber Networks Act (PCNA) and laying out the reasons why:

Dear Representative: We, the undersigned civil-society organizations, security experts, and academics write to urge opposition to the Protecting Cyber Networks Act (PCNA, H.R. 1560)[1] if it comes to the House floor for a vote. PCNA seriously threatens privacy and civil liberties, and would undermine cybersecurity, rather than enhance it.

Like its Senate counterpart, the Cybersecurity Information Sharing Act (CISA, S. 754)[2], PCNA would significantly increase the NSA’s access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity. The revelations of the past two years about the intelligence community’s abuses of surveillance authority and the scope of its collection and use of individuals’ information demonstrate the potential for government overreach, particularly when the laws’ language is broad or ambiguous. Congress has yet to enact reforms that would effectively rein in the government’s surveillance activities. PCNA also fails to provide strong privacy protections or adequate clarity about what actions can be taken, what information can be shared, and how that information may be used by the government. We strongly urge you to oppose PCNA because it would:[3]

Authorize companies to expand monitoring of their users’ online activities significantly, and permit sharing of vaguely defined “cyber threat indicators” without adequate privacy protections prior to sharing. This could result in the unnecessary scrutiny of innocent Internet users’ online activities and the sharing of their personal information and Internet use, including the content of their online communications.[4]

Require federal entities to disseminate to the NSA automatically all cyber-threat indicators they receive, including personal information about individuals. This requirement fails to cement civilian control of domestic cybersecurity information-sharing, and it could vastly and unnecessarily increase the NSA’s access to innocent users’ information.

Authorize overbroad law enforcement uses that go far outside the scope of cybersecurity. Law enforcement would be allowed to use cyber-threat indicators to investigate crimes and activities that have nothing to do with cybersecurity, such as robbery, arson, carjacking, or any threat of serious bodily injury or death, regardless of whether the harm is imminent. The use authorizations included in this bill undermine traditional due-process protections. They make PCNA a cyber-surveillance bill rather than a cybersecurity bill.[5]

Authorize companies to deploy invasive countermeasures, euphemistically called “defensive measures.” The authorization for deploying such measures is narrower than in other bills. However, PCNA still authorizes an entity to deploy a defensive measure that gains unauthorized access to the computer systems of innocent third parties who did not perpetrate the threat, an action that would otherwise violate the Computer Fraud and Abuse Act. It may also authorize defensive measures that unintentionally harm innocent third parties.[6]

Alex Halderman, Morris Wellman Faculty Development Assistant Professor of Computer Science and Engineering, University of Michigan; Director, University of Michigan Center for Computer Security and Society

Dr. Nicholas Weaver, Researcher, ICSI and UC Berkeley

[1] Protecting Cyber Networks Act (PCNA, H.R. 1560), https://www.congress.gov/bill/114th-congress/house-bill/1560.

[2] Many of the undersigned groups have signed letters strongly opposing CISA for many of the same reasons detailed in this letter. See Coalition Letter Opposing CISA as Reported Out of Committee (April 20, 2015) (on file with New America’s Open Technology Institute); and Coalition Letter Opposing CISA Discussion Draft (March 2, 2015), https://d1ovv0c9tw0h0c.cloudfront.net/files/2015/03/CISA-2015-Sign-On-Letter.pdf.

[3] Many of us have several other concerns that are not detailed in this letter, including the breadth of the definitions for “cyber threat” and “cyber threat indicator,” which would allow companies to share information that describes mere attributes of threats. Additional concerns include the scope of the liability protection for information sharing and monitoring, which could lead to oversharing; that the law doesn’t expire; and the creation of the first new category of exemptions to the Freedom of Information Act (5 U.S.C. 552(b)) since it was passed in 1966.

[4] Current law already permits companies to monitor their networks to protect their own rights and property. Bill proponents have not explained why vast new monitoring authority is needed. The bill goes far beyond granting authority to monitor simply for advanced persistent threats that could pose a risk to specific information systems of third parties.

[5] Other use authorizations that raise concerns include investigations under the Espionage Act, which could result in even more aggressive crackdowns against government whistleblowers and national-security journalists and their sources, and investigations into identity theft and trade-secret violations.
[6] Notably, PCNA limits countermeasures to those “operated on and the effects of which are limited to” one’s own system, or another information system upon written consent of its owner (Sec. 3(b)(1)). In contrast, CISA requires countermeasures be “applied to” one’s own network, but does not limit off-network effects that harm third parties. The narrower authorization in the PCNA is undermined by an ambiguous limitation: That limitation suggests that a company may deploy a defensive measure that unintentionally destroys, disables, or substantially harms an information system owned or operated by a third party that has not consented to the operation of such countermeasures.